SAN FRANCISCOÂ â The shadowy organization believed to be behind the world’s largest ransomware attack may represent a new cyberwar front to the escalating tensions between North Korea and the West. But it may just beÂ about cold, hard cash.

In the days after an unnamed organization unleashed a virulent form of malwareÂ that paralyzed computers in 150 countries, cybersecurity researchers poring over the WannaCry malware’s code and earlier, similarÂ viruses noted a resemblance that amounted to a digital trail of breadcrumbs pointingÂ to what’s known asÂ The Lazarus Group.

The group â described by some researchers as a criminal hacking contractor Â â may haveÂ ties to North Korea, raising the specter that the regimeÂ was escalating its use of cyber missiles alongside its ballistic missile launches.

But the hackers’ group, whether working on behalf of North Korea or not, also wanted to raise money: $300 in bitcoin per frozen computer, according to victims like the U.K. National Health Service, Spain’s Telefonica and U.S. shipper FedEx. And that would fit the profile of aÂ communist countryÂ that is cash-strapped, say security experts, evenÂ though this particularÂ ransomware scam has collected a scant $70,000 so far.

âThe Lazarus group appears to be a contractor in the area of cyber mischief, but they seemÂ to straddle the worlds of politics and crime,” says John Arquilla, chair of defense analysis at the Naval Postgraduate School in Monterey, Calif.Â “I would call them a strategic criminal actor,â Arquilla says.

It may not be linked to North Korea at all. Gartner senior cybersecurityÂ analyst Avivah Litan says some of her sources indicate its leaders mightÂ be in Russia, with workers spread throughout the globe.

Sleuthing to stop and then trace the malware started early Friday, in the hours after an early morning attack started to hit computer networks in Europe and Asia.Â A ransomware program, dubbed WannaCry, was spreading rapidly across networks running older versions Microsoft Windows, locking up screens with demands of payments.

âWhy would they be doing this? The answer is money,â said T.J. Pempel, a professor of political science at the University of California-Berkeley and expert on North Korea. Much of North Korean’sÂ population is near starvation, with little industry and an enormous proportion of the nationâs wealth going towards the military, he says.Â In the past it has made money selling weapons and attempting to sell nuclear technology. So itâs not inconceivable that itâs moving into cyberspace as a possible source hard currency with which to prop itself up, Pempel said.

After a seven-hour rampage, WannaCry was stopped Friday afternoon by a 22-year-old London-based security researcher working at Kryptos Logic, Marcus Hutchins,Â when he registered an Internet address the code used to test whether it was under surveillance. Enterprises rushed to install code patches Microsoft had made available. Those that did were protected against the hundreds of copy-cat variants of the program thatÂ sprouted after the initial launch. Those that werenât found themselves locked out of their data. The onslaught hit 200,000 computers, chiefly in Europe and Asia. It thenÂ petered out for the start of the U.S. workweek.

By Tuesday, the Department of Homeland Security was saying fewerÂ than 10 companies in the U.S. were reporting disruptions related to the global cyber attack.

Security researchers, meanwhile, were busy trying to find outÂ whodunnit, posting their clues and successes to twitter and blogs. Google security researcher Neel Mehta Monday tweeted a similarity between traces of computer code in the WannaCry ransomware that was similar to a previous hacking event linked to the LazarusÂ Group. Cybersecurity firms Kaspersky Labs and Symantec confirmed the connection, and Symantec pointed to a second link: evidence that earlier versions of the malware were found on machines that showed evidence of the Lazarus Group tools.

Some of those tools had been used in attacks on Sony Pictures Entertainment in 2014, the massive theft of personal and corporate data that the Obama Administration eventually blamed on North Korea, plus the cyberheist of Bangladesh’s central bank in 2016 that netted more than $80 million and multiple assaults on Polish banks in February.

Eric Chien, technical director of Symantec Security Response, saysÂ it does not have enough evidence to conclusively pin the attack on Lazarus, but would not dismiss a link. It still requires a week or two of more research, he said.

The links raise multiple questions, only a few of which have been answered: Does Lazarus GroupÂ work for the North Korean government or is it independent? And what does it hope to accomplish?

North Korea is one of a handful number of countriesÂ âÂ Russia, China and Iran are othersÂ âÂ with âoffensively advanced cyberattacking capabilities,â says Robert Silvers, former assistant secretary for cyber policy at the U.S. Department of Homeland Security under the Obama Administration.

âWhat is alarming is they are willing to use them and not be constrained,â Silvers says. âItâs becoming clear North Korea is turning to the cyber domain to operate and achieve its political and criminal objectives. It doesn’t seem concerned about being caught; there is a sense of impunity to it.â

Deepening the intrigue is the United States role in the formation of the malware.

MicrosoftÂ has blamed the National Security Agency for stockpiling cyberweapons that were then stolen and used to form theÂ attack, a scenario echoed by cybersecurity firms. A hacking group called the Shadow Brokers said it hacked the Equation Group, believed connected to the NSA, in August and posted what it found â vulnerabilities to Windows code â online after first trying to sell them.

U.S. Administration officials have denied the agency created the malware, while sidestepping the question of whether it may have once held the vulnerability that later formed WannaCry.

The murky underworld of the Dark Web has left analysts connecting the dots.

âItâs a matter of suspicions and implications,” said the Naval Postgraduate School’s Arquilla.Â “We donât really have CSI-Cybercrimes just yet.”